JLLBEE
just joined
Topic Author
Posts: 3
Joined: Tue Nov 15, 2011 10:11 pm

forward internal traffic to internal webpage

Fri Sep 16, 2022 7:38 pm

The issue: We have a webpage - subpage.webpage.com which is working from the internet - this page is running on our internal server. We use a Watchguard Firewall which routes this traffic to the webpage with a port attached - 9000 (subpage.webpage.com:9000) - this works great from the internet. We would like to access this page from our Intranet, but cannot get it to work unless we set up a host file on each computer to route it. Being that we have over 800 computers I would like to find a way to do it with the MikroTik if possible. We do not use the firewall on the MikroTik right now. Our DNS server is also internal. We have a range of public IPs from our ISP, and we use one of them for the traffic to this Webpage on the Watchguard. Also, our LAN is a different subnet than the Webserver.

Watchguard Firewall
ether0 - 111.111.111.1/29 - Internet (external)
ether1 - 222.222.0.0/16 - LAN (trusted)
ether2 - 333.333.333.0/24 - Server network (trusted)
ether3 - 444.444.444.1/30 - SIP Network for Phones (External)

SNAT - 111.111.111.3 to 333.333.0.2:9000

Mikrotik
ether1 - 222.222.0.0/16 - LAN Subnet (This also has our internal DNS)
ether7 - 333.333.333.0/24 - Server Subnet (This subnet is used for other internal servers that the LAN is able to reach)
ether1 thru ether10 are all used for different subnets - ether1 being the default

Webpage: subpage.webpage.com = 111.111.111.3/29

Webserver is : 333.333.333.2/24

From internet webpage works great.
From LAN, only works if there is a Host file with: "333.333.333.2 subpage.webpage.com"
Don't want to manage host files - can I do this with the MikroTik so internal PCs can reach this website?

Thanks
John L.
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: forward internal traffic to internal webpage

Fri Sep 16, 2022 9:18 pm

If internal client tries to resolve subpage.webpage.com, which address does it get?
 
BartoszP
Forum Guru
Posts: 2865
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: forward internal traffic to internal webpage

Fri Sep 16, 2022 9:34 pm

There are two ways to solve the problem:

A. Set DNS to answer to local clients with local address of the server instead of public one

B. Use hairpin https://help.mikrotik.com/docs/display/ ... HairpinNAT
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: forward internal traffic to internal webpage

Fri Sep 16, 2022 11:51 pm

Option A is messy in OP's case as backend server seemingly runs on non-standard port.

And option B might not be needed if indeed server resides in different subnet than LAN clients are.

So let's hear from OP some further detail before we dive into guess-game too deep.
 
JLLBEE
just joined
Topic Author
Posts: 3
Joined: Tue Nov 15, 2011 10:11 pm

Re: forward internal traffic to internal webpage

Mon Sep 19, 2022 2:27 pm

> If internal client tries to resolve subpage.webpage.com, which address does it get?

They will get the 111.111.111.3/29 - This domain is hosted via a third party and we forward the request to our internal server where the webserver resides.

Thanks
John L.
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: forward internal traffic to internal webpage

Mon Sep 19, 2022 2:48 pm

Sounds like you need to implement hairpin NAT on watchguard ... I'm not sure how to do it there but essentially you have to add SRC NAT rule which replaces src-address for packets originating from internal networks and targeting the DST NATed server. Without it, the internal server sees client IP address, sends reply to it bypassing watchguard (who is supposed to do inverse of DST-NAT on return packets). This makes clients mighty confused.

So it's option B from the post by @BartoszP ...
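
The packet flow described in the post above, modelled as an added example that is not part of the thread or of any vendor's configuration. It uses the thread's placeholder addresses as opaque strings; the firewall's server-side address, the client address and port, and all function names are assumptions made for illustration.

```python
# Added example: why the LAN client fails without the SRC NAT rule.
PUBLIC = ("111.111.111.3", 9000)   # address the internal client resolves
SERVER = ("333.333.333.2", 9000)   # web server on the server subnet
FW_SERVER_SIDE = "333.333.333.1"   # assumed firewall address on the server subnet
CLIENT = ("222.222.0.50", 40000)   # constructed LAN client and source port


class Firewall:
    """NAT box with a connection table, standing in for the Watchguard."""

    def __init__(self, hairpin_snat):
        self.hairpin_snat = hairpin_snat
        self.conntrack = {}  # (src, dst) after NAT -> (src, dst) before NAT

    def forward(self, src, dst):
        """Client to server: DST NAT, plus SRC NAT when hairpin is enabled."""
        if dst != PUBLIC:
            return src, dst
        new_src = (FW_SERVER_SIDE, src[1]) if self.hairpin_snat else src
        self.conntrack[(new_src, SERVER)] = (src, dst)
        return new_src, SERVER

    def reverse(self, src, dst):
        """Server to client: undo both translations using the table."""
        orig_src, orig_dst = self.conntrack[(dst, src)]
        return orig_dst, orig_src


def reply_seen_by_client(hairpin_snat):
    """Return (source of the reply the client receives, reply crossed firewall)."""
    fw = Firewall(hairpin_snat)
    seen_src, seen_dst = fw.forward(CLIENT, PUBLIC)
    # The server answers whatever source address it saw on the request.
    reply_src, reply_dst = seen_dst, seen_src
    if reply_dst[0] == FW_SERVER_SIDE:
        # Addressed to the firewall, so the reply is un-NATed there.
        reply_src, reply_dst = fw.reverse(reply_src, reply_dst)
        return reply_src, True
    # Addressed to the LAN client: routed straight back (assumed to go via
    # the router joining both subnets), so the firewall never rewrites it.
    return reply_src, False


def client_accepts(hairpin_snat):
    """A TCP client only accepts a reply from the address it connected to."""
    src, _ = reply_seen_by_client(hairpin_snat)
    return src == PUBLIC
```

With the SRC NAT rule in place the server's access log records the firewall's address for LAN clients, so per-client attribution has to come from the firewall's own logs.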
 
JLLBEE
just joined
Topic Author
Posts: 3
Joined: Tue Nov 15, 2011 10:11 pm

Re: forward internal traffic to internal webpage

Mon Sep 19, 2022 3:25 pm

> Sounds like you need to implement hairpin NAT on watchguard ... I'm not sure how to do it there but essentially you have to add SRC NAT rule which replaces src-address for packets originating from internal networks and targeting the DST NATed server. Without it, the internal server sees client IP address, sends reply to it bypassing watchguard (who is supposed to do inverse of DST-NAT on return packets). This makes clients mighty confused.
>
> So it's option B from the post by @BartoszP ...

Thanks, Guess I need to learn how to set that up..........
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: forward internal traffic to internal webpage

Mon Sep 19, 2022 7:49 pm

viewtopic.php?t=179343 if you prefer plain English compared to MT hieroglyphics. ;-)
